As computer systems become ubiquitous in both the home and industry, the ability for any one individual to access applications and data has increased dramatically. Although such ease of access has streamlined many tasks such as paying bills, ordering supplies, and searching for information, the risk of providing the wrong data or functionality to the wrong person can be fatal to an organization. Instances of data breaches at many consumer-product companies and the need to comply with certain statutory measures (e.g., Health Insurance Portability and Accountability Act (HIPAA), Child Online Protection Act (COPA), Sarbanes-Oxley (SOX), etc.) have forced many companies and institutions to implement much stricter system access policies.
Healthcare regulations mandate that “protected health information” (PHI) be accessible only by a caregiver explicitly authorized to access the information. Computer systems used in the healthcare sector, therefore, require proper user authentication before granting access to and/or allowing alterations in PHI; this not only ensures patient privacy and safety, but also permits changes made to patient records to be audited later. User authentication and subsequent access to PHI (or other secure data) and/or to software applications utilizing such data is generally governed by well-known authentication sequences and access workflows. Challenges arise, however, in circumstances where multiple users share a workstation. In the event of a user transition, it may be necessary to prevent the new user from accessing or even viewing information utilized on-screen by the departing user.
One approach employed extensively in the healthcare sector, and which is derivative of the well-known desktop security model used with personal computers, involves security software that controls the workflow following a user switch to (1) prevent the new user from accessing the departing user's desktop, e.g., by shutting down all the applications launched by the departing user or otherwise disabling access, and (2) close the departing user's desktop and provide a new desktop personalized to the new user. Clearing and restarting the desktop introduces a significant delay due to the need for the operating system to release resources associated with one user before they are reallocated for the new user. These operations are generally tolerable between work shifts since initial log-in delays are common in most secure networks and occur only once. But the delays can be unduly disruptive in fast-paced environments, such as hospitals, where workers constantly move from one computer to another and control of a workstation must often shift on a frequent and unpredictable basis. For example, a treating physician may require immediate access to a patient's records, and will utilize the nearest workstation to obtain it; a long transition procedure inconveniences both the physician and the workstation user being “bumped”—particularly the latter if such interruptions occur often.
To reduce the delay associated with restarting a new desktop each time a transition occurs, hospitals use different strategies to isolate one user's applications from another's. A common technique is to operate the workstation in a “kiosk mode” in which a common desktop, running under a generic system account with limited access to system functionality, is shared by all users. Users in this kiosk mode log on via a “screen-saver” application that, upon a user switch, locks the desktop and shuts down all of the departing user's applications (or logs the departing user off from them) before unlocking the generic desktop for the new user; the screen saver provides a log-on screen similar to that provided by the operating system. Eliminating the need to switch “ownership” of the desktop reduces system delays, and each new user starts with a pristine instance of the shared desktop (since all applications started by the previous user are terminated). Because every user runs under the same generic account, however, the isolation between users rests entirely on the screen-saver layer: an application that survives the switch remains on the shared desktop and is visible to the next user.
A second technique relies on running the user's session on a back-end server and delivering a “virtualized desktop” to the workstation using a terminal emulation program (such as CITRIX RECEIVER, VMWare VIEW or a Microsoft RDP client). Upon a user switch, the screen-saver program disconnects the terminal emulation program from one server session (blocking user access) and then reconnects the emulator to another user's session. Since a user's session is never terminated—it runs on the back-end server—this approach allows the user to roam from one device to another while maintaining the state of all applications she is running.
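The two switch strategies described in the preceding two paragraphs, as an added illustration that is not part of this application and is not code from any of the named products: a small Python model of a kiosk-mode workstation and of a virtualized-desktop workstation. The class names, user names, application names and the “hung application” case are assumptions made for the example. It shows the ordering the screen-saver layer has to enforce (lock first, then tear down or detach, then log on), that the kiosk switch must fail closed and stay locked when an application refuses to terminate, and that a virtualized session survives a switch with its state intact.

```python
from dataclasses import dataclass, field


@dataclass
class App:
    """A running application. killable=False models a process that ignores the
    shutdown request (an assumed failure case, not a real product behaviour)."""
    owner: str
    name: str
    state: dict = field(default_factory=dict)
    killable: bool = True


class SwitchRefused(Exception):
    """Raised when a log-on must be refused; the workstation stays locked."""


class KioskWorkstation:
    """Strategy 1: one shared desktop under a generic account. Identity lives
    only in the screen-saver layer, so a switch must destroy the departing
    user's applications before the next user is let in."""

    def __init__(self):
        self.locked = True
        self.user = None
        self.apps = []     # processes on the shared desktop
        self.audit = []    # (event, user, detail) tuples for later review

    def login(self, user):
        if not self.locked:
            raise SwitchRefused("log-on is only offered from the lock screen")
        if self.apps:      # invariant: nothing from a prior user survives the unlock
            raise SwitchRefused("desktop not pristine: %s" % [a.name for a in self.apps])
        self.user, self.locked = user, False
        self.audit.append(("login", user, None))

    def launch(self, name, **state):
        if self.locked:
            raise SwitchRefused("cannot launch while locked")
        self.apps.append(App(self.user, name, dict(state)))

    def switch(self, new_user):
        departing = self.user
        self.locked = True                    # 1. lock before teardown: nothing is visible
        self.audit.append(("lock", departing, None))
        survivors = []
        for app in self.apps:                 # 2. terminate everything the departing user opened
            if app.killable:
                self.audit.append(("terminate", departing, app.name))
            else:
                survivors.append(app)
        self.apps, self.user = survivors, None
        self.login(new_user)                  # 3. fails closed if anything survived
        return departing

    def visible(self):
        """What the person in front of the screen can see right now."""
        return [] if self.locked else [(a.owner, a.name) for a in self.apps]


class SessionBroker:
    """Strategy 2: per-user sessions live on a back-end server and outlive any
    workstation; a workstation only ever displays one attached session."""

    def __init__(self):
        self.sessions = {}    # user -> list of App, persists across devices

    def session(self, user):
        return self.sessions.setdefault(user, [])


class VirtualDesktopWorkstation:
    def __init__(self, broker):
        self.broker, self.locked, self.attached, self.audit = broker, True, None, []

    def login(self, user):
        if not self.locked:
            raise SwitchRefused("log-on is only offered from the lock screen")
        self.attached, self.locked = user, False
        self.audit.append(("reconnect", user, None))

    def launch(self, name, **state):
        if self.locked:
            raise SwitchRefused("cannot launch while locked")
        self.broker.session(self.attached).append(App(self.attached, name, dict(state)))

    def switch(self, new_user):
        departing = self.attached
        self.locked = True                                   # 1. lock
        self.audit.append(("disconnect", departing, None))   # 2. detach; session keeps running
        self.attached = None
        self.login(new_user)                                 # 3. attach the new user's session
        return departing

    def visible(self):
        return [] if self.locked else [(a.owner, a.name) for a in self.broker.session(self.attached)]


def demo_kiosk():
    """Clean kiosk switch: nurse_a's chart is terminated before doctor_b sees the desktop."""
    ws = KioskWorkstation()
    ws.login("nurse_a"); ws.launch("chart_viewer", patient="P1")
    ws.switch("doctor_b")
    return ws


def demo_kiosk_stuck_app():
    """Kiosk switch with an application that will not terminate: stays locked, fails closed."""
    ws = KioskWorkstation()
    ws.login("nurse_a"); ws.apps.append(App("nurse_a", "hung_app", killable=False))
    try:
        ws.switch("doctor_b")
    except SwitchRefused:
        pass
    return ws


def demo_vdi():
    """Virtualized desktop: nurse_a roams away and back; her chart is still open."""
    broker = SessionBroker()
    ws = VirtualDesktopWorkstation(broker)
    ws.login("nurse_a"); ws.launch("chart_viewer", patient="P1")
    ws.switch("doctor_b"); ws.launch("order_entry")
    ws.switch("nurse_a")
    return ws, broker
```

The two models share the same three-step discipline; what differs is step 2, and that is where the cost and the risk sit. The kiosk variant must refuse the new log-on (and therefore stay on the lock screen) if any process from the departing user is still alive, because there is no account boundary behind the screen saver to fall back on. The virtualized variant never destroys anything, which is why it preserves the departing user's work but still pays the disconnect and reconnect round trips on every switch.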
While both of these approaches reduce delay relative to full shut-down and restart operations, they still take time, and therefore are better suited to long-term transitions (e.g., between shifts) than to handling priority interruptions in which a computer being used by one user must be quickly (and briefly) relinquished to another user for a critical task. With either of the conventional approaches described above, the interrupted user, on giving up the computer, still needs to log off (possibly losing work with active applications) before allowing the interrupting user to log in. All of these operations take time and induce frustration in circumstances involving frequent, temporary workstation transfers.